Enterprise Resource Planning Blogs by Members
Gain new perspectives and knowledge about enterprise resource planning in blog posts from community members. Share your own comments and ERP insights today!
Showing results for 
Search instead for 
Did you mean: 
Former Member

Configuring structural authorizations for the first time:

Now that you have already learned about the basis of some features of the structural authorization, we are ready to start the configuration to set on the structural profile.

After this topic, you will know how to activate the structural profiles to transactions and reports. In order to make things easy to understand, we will follow a chronologic sequence of the IMG activities and process requirements.

Make a list of all objects you work in HR modules:

This is not an IMG activity but is imperative you know that before start configuring your structural profiles. Below there is a small list according the submodule to help you understand which the objects are.




Object Name




Aplicant Person


Personal Administration




Organizational Management


Organizational Unit


Organizational Management




Organizational Management




Organizational Management


Cost Center


Organizational Management


Job Family


Training & Event Management




Training & Event Management


Formation type


Training & Event Management




Training & Event Management




Training & Event Management


Formation Group




Appraisal Template




Criteria Group












Qualification Group

Examples of objects per submodules

Activate ORGPD object:

This authorization object is responsible for make the HR transactions respect the evaluation path that you will create in the next steps. There are some ways to do

1)By accessing the transaction OOAC, you must set the object ORGPD to one.

2)In TCODE SM30 access the table V_T77S0 and set the object ORGPD to one.

In order to understand more about ORGPD object you may want to look on the following URL:


Constructing the evaluation path or using a standard one:

This is probably the most important and difficult part of the configuration of your structural profile.

First, because you have to understand how an evaluation path works and then you have to study all the standard evaluation paths to be capable of define if you are using a standard one or creating a custom one.

To manage the evaluation paths you have to access the IMG Personnel Management > Organizational Management > Basic Settings > Maintain Evaluation Path.

  To help you understand this concept I will explain two cases (one standard and one custom).

Standard O-O-S-P evaluation Path:

This is one standard evaluation path used to reach all employees directly or indirectly subordinated to a manager and it works as follow:

1)    O – B002 – O: This first step starts in the org unit of the manager and returns for the eval. path all the other organizational units that this manager is responsible for;

2)    O – B003 – S: After find all the organizational units subordinated to a manager, this second line returns all the positions that belong to any of the org. units returned in the step one;

3)    S – A008 – P: With all the positions, now the system is able to reach every person who occupies this position through the relationship A008;

Pay attention at the beginning of the eval path because this will be your root object (in this case the manager organizational unit).

Custom  ZINTERIN evaluation Path:

This was a custom evaluation path built to attend a need of the organization. In this case, we created a relationship Z12 (line two) to identify a manager (or even an employee) who is replacing another manager for a determined period.

In this case, to the structural profile, I need first to find who temporarily administrates certain org unit and then reach all the employees directly or indirectly subordinated and this evaluation path works as follow:

1)    O – B003 – S: Our evaluation path here also starts by the org unit and in this case the org unit used contains the position of our temporary manager;

2)    S – AZ12 – O: Now, as our temporary manager could be another manager or even an employee that works in one org unit with other employees, we need to look for the Z12 relationship and then return which org units this person temporarily manages;

3)    O – B002 – O: Now, with the org unit administrated by this temporary manager, I have to look if this one have others org units subordinated and return them to my eval path;

4)    O – B003 – S: Now with all the org units I have to start looking for the positions (S) that belongs to each of those org units;

5)    S – A008 – P: Finally now with all the positions I am capable to reach the subordinated employees (P);

This is my custom evaluation path built to reach all the employees starting by the O of a temporary manager.  

Remember that is very important to know which will be your root object for your evaluation path, this information you will need latter.

Other relevant information is that as you can see, this two evaluation paths brings a list with all the O, S and P objects directly or indirectly subordinated to a manager.

Creating your Structural profile:

Considering that, you have already created your custom evaluation paths or defined the standard ones that you will use. Now it is time to create the structural profile.

However, before we start, you will need to understand what the structural profile is.

We have already seen that one evaluation path is a group of objects with a relationship bound and if used together it provide us a list of all objects involved since the starting point (root object) till the final object that we want to reach.

With this understanding, a structural profile is a group of objects and/or evaluation paths that provide this profile with all the objects the user will need to work.

The configuration of the structural profile can be done by accessing the transaction code OOSP or by the IMG path: Personal Management > Organizational Management > Basic Settings > Authorization Management > Structural Authorization > Maintain Structural Profiles.

To set the structural profile you have to:

1. Create one structural profile and chose a name for him;

Note: Don´t ever remove the standard entries. They are used as a default profile to anyone without the profile you are creating.

2. Inside your authorization profile, now set the objects and his respective evaluation paths.

This Screen is compose by the following fields:

a) Auth.Profile: Makes the bound between the object you are configuring and the structural profile you have created in the previous screen;

b) No: This field creates a sequence, which the objects will be reached. E.g.: If look for C object using A007 relationship, you may need first to find the positions with O-O-S-P;

c) Plan Vers: Usually you will use current plan (01);

d) Obj. Type: This field is very important because people usually don´t understand how it works. Here you have to put your ROOT object. This field determines the type of object that your evaluation path needs to reach his destination. Look at NO 1 & 2; there you can see that the OBJ type is the same as we explained during the creation of the evaluation path;

e) Object I: This field is to fill with the ID of your ROOT object. You can select fixed objects to be your root by informing this field or you can use the last field of this customizing setting a function module to do it dynamically. My advice is to avoid let fixed IDs as root object, this way you will need to create several profiles and can be hard to maintain all those profiles;

f) Maint.: This flag determines if you can maintain or not the objects reached by your root object through your evaluation path. E.G.: Update, create, eliminate objects and so on;

g) Eval.path: Here you fill with the evaluation path you have created. Here you can see that some Obj. Types has no eval. Path and no root object. This means that the users can see all those objects without any structural control.

You may be wondering so why I put those objects inside the structural authorization if I do not need to restrict them accordingly the organizational structure.

Remember that in the beginning of this document I wrote that once you turn on the structural authorization and set a profile to a user, EVERY HR object would have influence by these structural profiles. This means that if you forgot or ignore any object (E.G: C - Job) you will restrict the user using this profile and it won’t be able to see any object of this type created.

Therefore, if you don’t need to control certain objects through the structural authorization, you must inform him anyway in your structural profile but without evaluation path, root object ID or function module;

h) Status Vec : Is the status of the objects considered, in this case we considered only status one and two (Active and Planned);

i) Depth: This fiels is used to limit the information shown in your report E.G.: in your eval. Path to certain manager the system returns ten levels of subordinated org. units but in this field, you have set level six. So in your report you will see the employees only till Level 6 of subordinated organizational units. If you don’t want to have this control, leave this field as blank as I did in my customizing;

j) Sign: In this field you can define the direction of your evaluation path top down (+ or <blank>)/bottom up (-). By default, this direction is set as blank so it is top down but if you want, you can change the direction by putting the – sign and then your evaluation path will be bottom up;

k) Period: Here you have to inform the period that the user can see the data. The functionality of period was already explained in the beginning of this document;

l) Function Module: SAP provides two standard FM to set dynamically the ID of root objects. These two FM provides IDs to ROOT objects of org. units.

They are RH_GET_MANAGER_ASSIGNMENT responsible to get the ID of the org unit considering the relationship A012 and RH_GET_ORG_ASSIGNMENT responsible to get the ID of the org unit considering the relationship B003.

These function modules starts by the USER then reach the person, who has the user, then reach the position, which this person occupies, and then use the relationships above to determine the ID of the org unit in the root object.

After you configure all these fields you structural profile is ready. Now you have to set your profile to the user or to a group of user as you need.

Setting the Structural profile to a user or a group of users:

Here goes the final part of the creation of the structural profiles. Now that we have already defined the objects and its evaluation paths, have created and configured the structural profile, now it is time to set your profile to a user.

There are two ways of accomplish this activity as we will explain below.


Through the transaction code OOSB you can maintain manually setting the username, the profile the start and end date and an exclusion flag can be marked or not.

Note: The exclusion flag when marked changes de logic of the structural authorization hiding de objects found.

Here we created a new entry setting my profile zgestor to a user EXAMPLE now note in the image below that there is another entry with an ALL profile and SAP* in user name.

This is a default entry and gives a default all profile to every user in the system, which had not been created. You must NEVER delete this entry, because if you do, you will have to create one entry to every user of the system to grant them access.

The transaction OOSB can be very useful if you have a small number of users and want to make changes quickly. But in our case, we have more than six thousands employees and each one has one system user, so in this case we chose the second option as follows.


As I explained before when talking about useful reports, there is one report, in particular that is very useful to big structures like ours. This report is RHPROFL0 and it works considering the infotype 1017 - PD Profiles

This infotype can be crated to O – Organizational Unit, S – Position and/or C – Job and it has the same information used in OOSB TCODE.

This report works by comparing the users assigned to one of these three objects which has this infotype created and the T77UA table creating user which has infotype 1017 but don’t has entry in T77UA table and eliminating users in T77UA table which does not have entry in 1017 infotype anymore.

The 1017 infotype follows the order of the more specific to the less specific profile which means 1017 in S object is more relevant than 1017 in C object which is more relevant than 1017 in O object.

RHPROFL0 report image.

Previous document:http://scn.sap.com/docs/DOC-71580

Next document:http://scn.sap.com/docs/DOC-71578

Labels in this area